b"February 12, 2001\nAudit Report No. 01-006\n\n\nAudit of the FDIC\xe2\x80\x99s Application\nMaintenance Budgets\n\x0c                          TABLE OF CONTENTS\n\n\nBACKGROUND                                                    1\n\nOBJECTIVES, SCOPE, AND METHODOLOGY                            3\n\nRESULTS OF AUDIT                                              4\n\nPROPERLY CATEGORIZING MAINTENANCE AND\nNON-MAINTENANCE EXPENDITURES WILL ENHANCE THE\nACCURACY OF INFORMATION TECHNOLOGY COST DATA                  5\n\n      Recommendation                                          7\n\nBETTER DEFINING APPLICATION MAINTENANCE WILL\nSTRENGTHEN INFORMATION TECHNOLOGY BUDGETING\nAND REPORTING                                                 7\n\n      Recommendations                                         9\n\nFOCUSING ON KEY APPLICATION MAINTENANCE\nCOMPONENTS WILL PROVIDE SENIOR DIRM\nMANAGEMENT VALUABLE DECISION-MAKING\nINFORMATION                                                   9\n\n      Recommendation                                         11\n\nCORPORATION COMMENTS AND OIG EVALUATION                      11\n\nFIGURES\n     Figure 1: Portion of FDIC\xe2\x80\x99s Budget Related to IT        2\n     Figure 2: Portion of IT Budget Related to Maintenance   2\n\nAPPENDIX I \xe2\x80\x93 CORPORATION COMMENTS                            13\n\nAPPENDIX II \xe2\x80\x93 MANAGEMENT RESPONSES TO\n              RECOMMENDATIONS                                17\n\x0cFederal Deposit Insurance Corporation                                                          Office of Audits\nWashington, D.C. 20434                                                             Office of Inspector General\n\n\n\n   DATE:            February 12, 2001\n\n   TO:              Donald C. Demitros, Chief Information Officer and\n                    Director, Division of Information Resources Management\n\n\n\n   FROM:            David H. 
Loewenstein\n                    Assistant Inspector General\n\n   SUBJECT:         Audit of the FDIC\xe2\x80\x99s Application Maintenance Budgets\n                    (Audit Report No. 01-006)\n\n\n   The Federal Deposit Insurance Corporation (FDIC) Office of Inspector General (OIG) has\n   completed an audit of the FDIC\xe2\x80\x99s maintenance budgets for its application systems. This audit\n   was conducted based on information gathered during a previous OIG audit entitled Audit of the\n   FDIC\xe2\x80\x99s Strategic Planning for Information Technology Resources (Audit Report No. 00-013).\n   During our previous audit we identified a general perception at the FDIC that application\n   maintenance expenditures were higher than they should have been. Part of this perception was\n   caused by the fact that application maintenance has represented one of the largest components of\n   the FDIC\xe2\x80\x99s information technology (IT) budget in recent years. Division of Information\n   Resources Management (DIRM) and program office officials had also expressed concern during\n   our previous audit about how application maintenance expenditures were being categorized and\n   reported.\n\n   Our audit identified opportunities for DIRM to improve the manner in which it manages IT\n   expenditures classified as application maintenance. The report contains four recommendations\n   designed to improve the manner in which DIRM defines, categorizes, and monitors application\n   maintenance expenditures.\n\n\n   BACKGROUND\n\n   The FDIC invests a significant amount of resources in IT each year. 
The FDIC\xe2\x80\x99s $202 million IT\n   budget for 2000 represents approximately 17 percent of the Corporation\xe2\x80\x99s $1.2 billion annual budget.\n   The FDIC expects to invest an additional $185 million in IT resources during calendar year 2001.\n   The large investment that the FDIC makes in IT each year reflects the vital role that technology plays\n   in accomplishing the FDIC\xe2\x80\x99s business goals and objectives. It also underscores the need for sound\n   internal controls and performance measures to ensure that these valuable resources are deployed in\n   an optimal manner.\n\x0cApproximately $33.81 million of the FDIC\xe2\x80\x99s $202 million IT budget for 2000 has been budgeted to\nmaintain the FDIC\xe2\x80\x99s approximately 4702 business applications to ensure that they continue to satisfy\nthe business needs and objectives of the Corporation. This IT work is referred to as \xe2\x80\x9capplication\nmaintenance.\xe2\x80\x9d Figures 1 and 2 below illustrate the FDIC\xe2\x80\x99s planned level of spending on IT and\napplication maintenance, respectively, during 2000.\n\n\n\n          Figure 1: Portion of FDIC's                                   Figure 2: Portion of IT Budget\n             Budget Related to IT                                          Related to Maintenance\n\n                                   IT Budget                                                        Application\n    83%                            $202 Million                   83%                               Maintenance\n                                                                                                    $33.8 Million\n                                   Corporate                                                        IT Budget\n                                   Budget                                                 17%\n                                                                                                    $202 Million\n                     
    17%\n                                   $1.2 Billion\n\n\nProgram divisions and offices also invest significant resources to maintain the FDIC\xe2\x80\x99s business\napplications. However, we were unable to quantify these costs because program divisions and\noffices were not required to track and report IT costs. We reported on the need to track program\noffice costs relating to IT projects and associate these costs with DIRM expenditures in three\nprevious OIG audit reports.3 We recommended that the Chief Financial Officer, Division of Finance\nDirector, and Chief Information Officer (CIO) and DIRM Director work with the FDIC\xe2\x80\x99s divisions\nand offices to ensure that full life-cycle costs associated with IT investments, including program\noffice costs, are tracked, reported, and compared to initial estimates. The FDIC plans to implement\nprocedures in 2001 to allow IT expenditures incurred by non-DIRM organizations to be captured and\nrelated to DIRM\xe2\x80\x99s IT projects. When fully implemented, this process will allow the FDIC to identify\nand evaluate the true total costs of individual IT projects from a corporate perspective.\n\nThe IT Technical Committee defined application maintenance in its 2000 IT budget formulation\nprocedures as \xe2\x80\x9cproduction monitoring, emergency fixes, software package version upgrades and\nminor enhancements to an application system or group of application systems.\xe2\x80\x9d In addition, DIRM\ndeveloped a more detailed, but informal, definition of application maintenance. The more detailed\n\n1\n It is important to note that the $33.8 million figure does not include approximately $8.8 million in license and\nmaintenance fees related to the purchase of third-party software products that operate on the desktop, server, and\nmainframe computing environments. Examples of these products include the Microsoft Office Suite, Entrust, Forest\nand Trees, Walker, and DB2. 
DIRM categorized fees for third-party software products as technical infrastructure\nexpenditures.\n2\n As of October 18, 2000, there were 470 production applications contained in the FDIC\xe2\x80\x99s Corporate Data\nRepository.\n3\n The three OIG audit reports were Audit of FDIC Resource and Cost Tracking Systems for Information Systems\nProjects (Audit Report No. 98-019), dated February 27, 1998; Follow-on Audit of FDIC\xe2\x80\x99s General Examination\nSystem Development Project (Audit Report No. 99-020), dated March 31, 1999; and Audit of the FDIC\xe2\x80\x99s Strategic\nPlanning for Information Technology Resources (Audit Report No. 00-013), dated March 31, 2000.\n\n\n                                                        2\n\x0cdefinition provides DIRM\xe2\x80\x99s program managers with a more detailed level of specificity to develop\nand manage individual maintenance budgets for the FDIC\xe2\x80\x99s business applications. However, as\ndiscussed in a subsequent section of this report, DIRM needs to modify its definition of application\nmaintenance to ensure that it meets traditional and generally accepted definitions of maintenance.\n\nDIRM tracked and reported its application maintenance expenditures using IT project numbers.\nDIRM established a unique IT project number for each FDIC application with annual maintenance\ncosts exceeding $200,000. Applications with annual maintenance costs of less than $200,000 were\ngrouped by FDIC division and office into a single application maintenance project called \xe2\x80\x9cother\nmaintenance.\xe2\x80\x9d\n\nDIRM took steps during our review to improve the manner in which it categorized application\nmaintenance expenditures. 
For example, as part of the 2001 IT budget planning process, DIRM\nestablished a separate IT category for on-line data services, such as LEXIS-NEXIS and Westlaw.\nPreviously, expenditures for on-line data services had been categorized as application maintenance.\nSeparating these expenditures from application maintenance improved the accuracy with which IT\nexpenditures are categorized. DIRM also initiated actions that, when fully implemented, will\nindirectly benefit DIRM\xe2\x80\x99s planning and administration of application maintenance expenditures.\nThese include plans to establish a formal IT configuration management program and actions to re-\nengineer and consolidate the FDIC\xe2\x80\x99s stand-alone systems, where appropriate.\n\nThese positive actions serve, in part, to accomplish DIRM\xe2\x80\x99s strategic IT goals and objectives of\nimproving the efficiency and effectiveness of IT management and reducing application maintenance\ncosts. These goals and objectives are articulated in the FDIC\xe2\x80\x99s IT Strategic Plan for 2000\xe2\x80\x932005.\nThe recommendations contained in this report are intended to further DIRM\xe2\x80\x99s efforts in\naccomplishing the FDIC\xe2\x80\x99s strategic IT goals and objectives. When implemented, these\nrecommendations will improve the manner in which DIRM defines, categorizes, and monitors\napplication maintenance expenditures. Such improvements will help promote a more detailed\nanalysis of IT budgets and expenditures in an environment where cost reductions are a high\ncorporate priority.\n\n\nOBJECTIVES, SCOPE, AND METHODOLOGY\n\nThe objectives of the audit were to evaluate DIRM\xe2\x80\x99s planning, categorization, and administration of\napplication maintenance expenditures and to monitor DIRM\xe2\x80\x99s progress in evaluating the feasibility\nof adopting seat management4 at the FDIC. 
We were unable to monitor critical aspects of the seat\nmanagement initiative because key deliverable products needed by DIRM to evaluate the feasibility\nof seat management had not been completed at the close of our field work. Our office plans to\ncontinue monitoring DIRM\xe2\x80\x99s seat management initiative through our Audit of IT Hardware/Software\nPlanning and Expenditures, Audit No. 2000-920. Thus, we are making no recommendations\nregarding seat management at this time.\n\n4\n Seat management is a method of outsourcing support for an organization\xe2\x80\x99s desktop computing environment. The\nscope of seat management can be tailored to meet the specific needs of an organization and generally involves\nprocuring IT services from a single vendor at predefined performance levels. Seat management can offer many\nbenefits, including improved IT performance, reduced IT costs, and the ability to better predict IT costs.\n\n\n                                                      3\n\x0cTo accomplish the audit\xe2\x80\x99s objective relating to application maintenance, we interviewed senior\nDIRM managers who were responsible for managing the FDIC\xe2\x80\x99s application maintenance program.\nWe also interviewed key DIRM and program office staff who provided the day-to-day maintenance\nof the FDIC\xe2\x80\x99s business applications to determine how application maintenance expenditures were\nbeing planned, categorized, and administered. 
In addition, we spoke with representatives of\ngovernment oversight agencies, such as the Office of Management and Budget (OMB), the U.S.\nGeneral Accounting Office (GAO), and the General Services Administration (GSA), to obtain an\nunderstanding of how other federal agencies define \xe2\x80\x9capplication maintenance.\xe2\x80\x9d We also researched\nindustry guidance relating to application maintenance and spoke with representatives of two leading\nIT organizations about how their organizations track and report various maintenance expenditures.\n\nIn addition, we judgmentally selected 3 of 52 application maintenance projects contained in the\nFDIC\xe2\x80\x99s 2000 IT budget for a detailed review. The combined value of the FDIC\xe2\x80\x99s 52 application\nmaintenance projects totaled approximately $33.8 million. The value of the three application\nmaintenance projects selected for detailed review was approximately $2.5 million. We selected the\nthree projects based on their high-dollar value and potential for containing non-maintenance\nexpenditures. For each project selected, we interviewed the DIRM and program office staff who\nprovided the day-to-day maintenance of the applications to identify the types of IT activities being\ncategorized as maintenance. We also reviewed contractor status reports, IT plans, employee time\nreports, and budget and expenditure reports to determine how the expenditures related to these\nprojects were being administered. 
In addition, we attended IT Technical Committee meetings to\nobserve how application maintenance expenditures were being planned for 2001.\n\nWe conducted the audit between April 2000 and November 2000 in accordance with generally\naccepted government auditing standards.\n\n\nRESULTS OF AUDIT\n\nWhile DIRM has taken actions that will have a positive effect on the manner in which it manages\nthe FDIC\xe2\x80\x99s application maintenance expenditures, additional opportunities exist to improve\nDIRM\xe2\x80\x99s management of application maintenance expenditures. Specifically, DIRM needs to\nbetter categorize and define application maintenance expenditures to enhance the accuracy of IT\ncost data and strengthen IT budgeting and reporting. Additionally, senior management can\nenhance its administration of IT maintenance by implementing a process to monitor and evaluate\nkey components of application maintenance expenditures.\n\nWe noted that DIRM combined IT expenditures traditionally defined as application maintenance\nwith a variety of expenditures that were not related to application maintenance. Generally, the\nexpenditures unrelated to application maintenance fell into three broad categories: ongoing\noperations, administration, and special projects. Combining non-maintenance expenditures with\nexpenditures traditionally defined as application maintenance overstated the FDIC\xe2\x80\x99s maintenance\ncosts and reduced the FDIC\xe2\x80\x99s ability to effectively manage all of these costs and measure\nperformance.\n\n\n\n\n                                                 4\n\x0cAlthough DIRM developed detailed guidance describing the types of IT activities that should be\ncategorized as application maintenance, the guidance needs to be modified to exclude certain IT\nactivities traditionally defined as ongoing operations. 
DIRM also needs to work with other divisions\nand offices to develop formal, detailed guidance for budgeting and categorizing application\nmaintenance expenditures. In addition, we identified opportunities for senior DIRM management to\nenhance its administration of application maintenance expenditures. Specifically, DIRM needs to\nimplement a process to further break out and monitor major application maintenance components.\nDIRM combines all of the FDIC\xe2\x80\x99s application maintenance expenditures, including expenditures\nrelated to post-implementation reviews, software bugs, infrastructure upgrades, disaster recovery,\nand software modifications caused by legislative and policy changes, into a single IT category.\n\nOur report contains a series of recommendations designed to improve DIRM\xe2\x80\x99s management of\napplication maintenance expenditures. Our recommendations are based on generally accepted\nindustry standards, FDIC-specific needs, and sound IT management principles espoused in key\nlegislation, such as the Clinger-Cohen Act of 1996, and the Government Performance and Results\nAct (GPRA). These recommendations not only encourage greater accountability but also improve\nDIRM\xe2\x80\x99s ability to plan, estimate, and justify application maintenance resources.\n\n\nPROPERLY CATEGORIZING MAINTENANCE AND NON-MAINTENANCE\nEXPENDITURES WILL ENHANCE THE ACCURACY OF INFORMATION\nTECHNOLOGY COST DATA\n\nWe identified opportunities for DIRM to significantly improve the manner in which it categorizes\nand reports application maintenance expenditures. Specifically, DIRM combined IT expenditures\ntraditionally defined as \xe2\x80\x9capplication maintenance\xe2\x80\x9d with a variety of non-maintenance-related\nexpenditures. Generally, the expenditures not typically related to application maintenance fell into\nthree broad categories: ongoing operations, administrative tasks, and special projects. 
Combining\nnon-maintenance expenditures with expenditures traditionally defined as application maintenance\noverstated the FDIC\xe2\x80\x99s maintenance costs and, in our opinion, contributed to a general perception at\nthe FDIC that application maintenance expenditures are higher than they should be. Combining\nthese expenditures also prevented DIRM from assessing the true total cost of maintaining the FDIC\xe2\x80\x99s\nbusiness applications and from having accurate cost data on which to base important IT decisions,\nsuch as effective cost-benefit evaluations.\n\nWe judgementally selected 35 of 52 application maintenance projects contained in the FDIC\xe2\x80\x99s 2000\nIT budget to identify the types of IT activities that DIRM categorizes as application maintenance.\nThe combined value of the FDIC\xe2\x80\x99s 52 application maintenance projects totaled approximately $33.8\nmillion. The value of the three application maintenance projects selected for detailed review was\napproximately $2.5 million. We selected the three projects based on their high-dollar value and\npotential for containing non-maintenance-related expenditures. 
For each project selected we\ninterviewed the DIRM and program office staff who provided the day-to-day maintenance of the\n\n5\n The three application maintenance projects selected for detail review were (1) M0003 Accounts Payable/Purchase\nOrder Maintenance, (2) M9934 Electronic Travel Voucher Payment System Maintenance, and (3) M9915 Federal\nFinancial Institutions Examination Council Support Maintenance.\n\n\n\n                                                       5\n\x0capplications and reviewed the contractor status reports, IT plans, employee time reports, and budget\nand expenditure reports to determine how the expenditures related to these projects were being\ncategorized and reported.\n\nWe also researched industry and government guidance related to application maintenance to identify\nthe types of IT activities that are generally recognized as maintenance. Specifically, we reviewed\npublished definitions of maintenance and related guidance issued by organizations such as the\nNational Institute of Standards and Technology (NIST), the Institute of Electrical and Electronics\nEngineers (IEEE), and the Software Engineering Institute (SEI) of Carnegie Mellon University. We\nalso reviewed guidance issued by government oversight agencies such as OMB and GSA. In\naddition, we reviewed published studies and reports by industry experts and spoke with\nrepresentatives of two leading IT organizations about how they track and report selected IT\nactivities.\n\nBased on our review of the three selected maintenance projects and discussions with DIRM staff, we\nbelieve that DIRM categorized and reported a variety of ongoing operations activities as application\nmaintenance. For example, staff time spent acquiring, validating, and uploading data to FDIC\nsystems from external sources was categorized as application maintenance. We noted several such\nprocesses whereby the FDIC received data on a regularly scheduled basis from other federal\nregulators. 
Staff time spent providing user support, such as processing user access requests for\ninformation systems, performing data extracts, and providing resolution support for failed financial\ninstitutions,6 was also routinely categorized as application maintenance. In addition, time spent\ngenerating the quarterly Uniform Bank Performance Report (UBPR)7 was categorized as application\nmaintenance. Generating the UBPR required DIRM staff to perform extensive data verification,\nvalidation, and analysis. We noted that the cost to print and mail the UBPR to financial institutions\nand regulators for 2000 alone totaled $150,000 and this cost was categorized as application\nmaintenance.\n\nDIRM also categorized and reported administrative tasks as application maintenance. For example,\nstaff time spent in training, such as corporate diversity training and other corporate-and vendor-\nprovided training programs, was categorized as application maintenance. Time spent developing IT\nplans and budgets, developing employee performance appraisals, and attending general meetings\nwere also routinely categorized as application maintenance. In addition, time spent preparing and\ndelivering presentations on FDIC systems and programs to outside parties, such as other federal\nregulators and foreign deposit insurance agencies, was routinely categorized as application\nmaintenance.\n\nIn addition, staff time spent on special projects was sometimes categorized and reported as\napplication maintenance. 
For example, time spent by DIRM staff collecting data for the IT\n\n6\n DIRM headquarters staff provided IT support for several financial institution failures during the first half of 2000.\nDIRM officials informed us at the close of our field work that headquarters support for financial institution failures\nwas discontinued in the summer of 2000 and that this work was transitioned to DIRM Dallas.\n7\n  The UBPR is an analytical tool used primarily by bank supervisory and management personnel to evaluate an\ninstitution\xe2\x80\x99s financial condition, trends in financial performance, and performance relative to peers. It contains data\nin the form of ratios, percentages, and dollar amounts computed mainly from Reports of Condition and Income filed\nby financial institutions.\n\n\n                                                           6\n\x0cOverview Analysis as part of the seat management project was categorized as application\nmaintenance. In addition, support for an inter-divisional working group called the Mega Bank\nCommittee, aimed at identifying alternative approaches for resolving large financial institution\nfailures, was categorized as application maintenance.\n\nDIRM staff that we spoke with during our audit generally recognized that the above referenced IT\nactivities were not application maintenance. DIRM staff informed us that the referenced activities\nwere categorized as application maintenance because there were no other IT categories available to\nwhich the costs could be allocated. DIRM used application maintenance as a \xe2\x80\x9ccatch all\xe2\x80\x9d IT category\nfor activities that did not meet the definition of DIRM\xe2\x80\x99s existing IT categories. In addition, because\nDIRM combined all of the referenced non-maintenance activities into a single IT category and did\nnot track them separately, we were unable to quantify either their individual or total cost. 
However,\nbased on our analysis and discussions with DIRM staff, we concluded that the total cost of these\nactivities is significant.\n\n\nRecommendation\n\nWe recommend that the CIO and Director, Division of Information Resources Management,\n\n(1)    Perform an evaluation of the FDIC\xe2\x80\x99s application maintenance expenditures and re-categorize\n       those expenditures that do not meet the traditional definition of maintenance, such as the\n       ongoing operations, administrative tasks, and special projects discussed in this report.\n\n\nBETTER DEFINING APPLICATION MAINTENANCE WILL STRENGTHEN\nINFORMATION TECHNOLOGY BUDGETING AND REPORTING\n\nAlthough DIRM developed detailed guidance describing the types of IT activities that should be\ncategorized as application maintenance, the guidance needs to be modified to exclude certain IT\nactivities traditionally defined as \xe2\x80\x9congoing operations.\xe2\x80\x9d In addition, DIRM needs to work with other\nFDIC divisions and offices to formalize its detailed application maintenance guidance from a\ncorporate perspective. Formal guidance will improve the efficiency of the IT budget formulation\nprocess, mitigate potential misclassifications of IT expenditures corporate-wide, and provide a\nfoundation for capturing program office costs.\n\nThe IT Technical Committee defined application maintenance in its 2000 IT budget formulation\nprocedures as \xe2\x80\x9cproduction monitoring, emergency fixes, software package version upgrades and\nminor enhancements to an application system or group of application systems.\xe2\x80\x9d In addition, DIRM\ndeveloped a more detailed, but informal, definition of application maintenance. 
The more detailed\ndefinition is contained in a September 24, 1998, e-mail message from an assistant DIRM Director\nand is intended to provide DIRM\xe2\x80\x99s program managers with guidance as to the level of specificity\nneeded to develop and manage individual maintenance budgets for the FDIC\xe2\x80\x99s business applications.\nDIRM\xe2\x80\x99s detailed definition of application maintenance consisted of:\n\n\n\n\n                                                  7\n\x0c\xe2\x80\xa2      Fixing Problems:       Receiving and responding to problem calls and reports; investigating\n                              problems; and changing, testing, and implementing fixes to problems;\n\xe2\x80\xa2      Cyclical Processes:    Implementing call report and UBPR changes and year-end and\n                              month-end processes;\n\xe2\x80\xa2      Mandatory Maintenance: Regulatory changes and interface changes to ensure continuing\n                              interoperability between systems and external data interchanges;\n\xe2\x80\xa2      Technical Maintenance: Migrating to new product releases, including new operating systems,\n                              databases, commercial off-the-shelf products, etc;\n\xe2\x80\xa2      Production Support:    Running and monitoring batch processes, restoring files, monitoring\n                              performance and utilization;\n\xe2\x80\xa2      Platform Migration:    Re-engineering to new standard platforms, such as from Computer\n                              Associates-Clipper\xc2\xae to Microsoft Visual Basic\xc2\xae/Structured Query\n                              Language (SQL) Server; and\n\xe2\x80\xa2      Disaster Recovery:  8\n                              Planning and testing for disaster recovery.\n\nWe researched industry guidance and published definitions related to maintenance to determine\nwhether the FDIC\xe2\x80\x99s detailed guidance met traditional and generally accepted definitions 
of\nmaintenance. Specifically, we reviewed published definitions of maintenance and related guidance\nissued by organizations such as NIST, IEEE, SEI, and other recognized industry experts. We also\nreviewed guidance issued by government oversight agencies such as OMB and GSA.\n\nBased on our research, we concluded that DIRM\xe2\x80\x99s detailed guidance for budgeting and categorizing\napplication maintenance expenditures included certain activities that are not traditionally recognized\nas maintenance. For example, DIRM\xe2\x80\x99s guidance defined production support, such as running and\nmonitoring batch processes, restoring files, and monitoring performance and utilization, as\napplication maintenance. DIRM\xe2\x80\x99s guidance also defined scheduled processes, such as UBPR\nprocessing and year-end and month-end processes, as application maintenance. Based on our\nresearch of industry guidance, we concluded that these activities are more appropriately defined as\n\xe2\x80\x9congoing operations.\xe2\x80\x9d\n\nIn addition, DIRM needs to work with other FDIC divisions and offices to formalize their detailed\napplication maintenance guidance from a corporate perspective. FDIC organizations other than\nDIRM perform a variety of maintenance and non-maintenance related IT activities, such as system\nand table maintenance, production support, user acceptance testing of software changes, disaster\nrecovery planning and testing, and help desk support. A recent survey of the FDIC\xe2\x80\x99s IT operations\nconducted by the Gartner Group, Inc.9 confirmed that a significant amount of IT activities are\nperformed by non-DIRM organizations. The Gartner survey estimated that non-DIRM divisions\ndedicated 234 full-time equivalents during 1999 to delivering IT services.\n\nFDIC plans to implement procedures in 2001 that would allow IT expenditures incurred by non-\nDIRM organizations to be captured and related to DIRM\xe2\x80\x99s IT projects. 
Developing a corporate-wide\n\n\n8\n    DIRM clarified its detailed definition of application maintenance on June 8, 2000, to include disaster recovery.\n9\n The Gartner Group, Inc. is an independent provider of research and analysis on the computer hardware, software,\ncommunications, and related IT industries.\n\n\n                                                            8\n\x0cdefinition of application maintenance before the 2002 IT budget formulation process begins will help\nensure consistent IT cost tracking and reporting for program office maintenance costs in the future.\n\n\nRecommendations\n\nWe recommend that the CIO and Director, Division of Information Resources Management,\n\n(2)    Work with other divisions and offices to develop a detailed definition of application\n       maintenance that can be used to categorize IT expenditures on a corporate-wide basis and\n\n(3)    Incorporate the new detailed definition of application maintenance into DIRM\xe2\x80\x99s 2002 IT\n       budget instructions.\n\n\nFOCUSING ON KEY APPLICATION MAINTENANCE COMPONENTS\nWILL PROVIDE SENIOR DIRM MANAGEMENT VALUABLE DECISION-MAKING\nINFORMATION\n\nDIRM needs to implement procedures to better monitor and evaluate key components of FDIC\xe2\x80\x99s\napplication maintenance expenditures. Improved monitoring of key components can be\naccomplished by grouping similar application maintenance activities into subcategories of\nmaintenance or tracking critical or high-cost IT activities separately. 
Improved analysis of\napplication maintenance expenditures will allow DIRM to better estimate and plan future\nmaintenance costs and ensure that scarce resources are being deployed in an optimal manner.\nFocusing on key maintenance components will also allow DIRM to more readily identify potential\nproblems, measure the financial performance of its IT activities, and justify resource requirements.\nWithout relevant and meaningful information related to the FDIC\xe2\x80\x99s application maintenance\nexpenditures, DIRM management cannot make informed decisions regarding ongoing systems\nenhancements, replacements, or operations because all maintenance expenditures are combined into\na single IT category.\n\nDIRM established a centralized process to track and report critical information on its IT projects,\nincluding application maintenance projects. DIRM tracked IT project information, such as\nproject status, budget and expenditure data, and schedule information, in a centralized Lotus\nNotes\xc2\xae database. While DIRM\xe2\x80\x99s centralized process provided valuable information on its\napplication maintenance projects, it did not allow DIRM to evaluate key components of\napplication maintenance expenditures. DIRM combined all of the FDIC\xe2\x80\x99s maintenance\nexpenditures, including expenditures related to post-implementation reviews, software bugs,\ninfrastructure upgrades, disaster recovery, minor enhancements, and legislative changes, into the\nsingle IT category of application maintenance. DIRM\xe2\x80\x99s centralized process was used primarily\nto ensure that approved application maintenance budgets were not exceeded.\n\nWe researched industry guidance related to application maintenance to determine how other\norganizations monitor and evaluate maintenance expenditures. 
We found that many organizations had adopted procedures published by recognized IT industry standard-setting bodies, such as NIST and IEEE, that define multiple categories of maintenance. While no single set of maintenance categories was prescribed for all organizations, common categories of maintenance used by industry organizations include:

•   Corrective Maintenance: To capture costs associated with correcting software errors (“bugs” in a system);
•   Adaptive Maintenance: To capture costs associated with software infrastructure upgrades, such as platform and operating system upgrades;
•   Perfective Maintenance: To capture costs associated with modifying software to meet the evolving and expanding needs of users, such as minor enhancements and changes caused by new policies and legislation; and
•   Preventive Maintenance: To capture costs associated with efforts to prevent software problems from occurring.

Using multiple categories of maintenance allows organizations to determine where their maintenance resources are being deployed and to evaluate those areas where resource consumption appears high. This approach to monitoring maintenance can also be used to justify resource requirements and to provide more meaningful information regarding return on investment.
In addition, key IT legislation, such as the Clinger-Cohen Act of 1996 and GPRA, requires agencies to establish performance measures for their IT investments and evaluate how well IT supports agency programs.

Another approach to effectively monitor application maintenance expenditures is to identify, track, and evaluate the cost of key IT activities categorized as application maintenance. Examples of key IT activities performed by DIRM could include performing post-implementation reviews, planning and testing for disaster recovery, and modifying software due to major legislative and policy changes. DIRM staff with whom we spoke during our review recognized the need to better monitor and evaluate application maintenance expenditures and, in at least two instances, implemented just such an approach.

One DIRM section developed a maintenance project valued at $553,500 to track the cost of infrastructure upgrades for its client’s business applications during 2001. Another DIRM section developed two separate IT projects with a combined value of $680,301 to track the cost of infrastructure upgrades and legislative changes affecting its client’s business applications in 2001. Although these efforts represent positive steps toward more effective monitoring of application maintenance, they are isolated instances and are not representative of how maintenance expenditures are being tracked and monitored throughout DIRM.

Our research indicates that there is no single approach to effectively monitoring and evaluating maintenance expenditures. However, organizations recognized for their expertise in IT, such as SEI, have developed basic techniques for measuring software development and maintenance costs. Sound IT management principles contained in key legislation, such as the Clinger-Cohen Act of 1996 and GPRA, also suggest that effective performance measures be implemented to monitor, track, and evaluate IT expenditures.
Sound performance measures promote more effective accountability over scarce IT resources.

Effective performance measurement procedures can take years to successfully implement. Industry research suggests that initial implementations should be simple and incremental and that organizations should not attempt to measure every factor affecting their costs. In addition, limitations in cost accounting and time tracking systems should be considered when planning a performance measurement program. DIRM management should review its application maintenance expenditures and develop procedures to effectively monitor and later re-evaluate components of application maintenance that it determines to be key.


Recommendation

We recommend that the CIO and Director, Division of Information Resources Management

(4)    Implement procedures to identify, monitor, and evaluate key components of the FDIC’s application maintenance expenditures. Such procedures should include provisions to periodically re-evaluate components classified as “key” and the manner in which they are monitored.


CORPORATION COMMENTS AND OIG EVALUATION

On January 26, 2001, the CIO and Director, DIRM, provided a written response to the draft audit report. The CIO and DIRM Director agreed with the report’s findings and recommendations and provided the elements necessary for management decisions on all four of the report’s recommendations. DIRM’s response is presented in its entirety in Appendix I of this report.

Regarding recommendation 1, the CIO and DIRM Director indicated that an evaluation of the FDIC’s application maintenance expenditures had been completed. As a result of this evaluation, DIRM plans to re-categorize a variety of expenditures that were previously classified as application maintenance.
In addition, DIRM plans to establish three new types of maintenance activities—regulatory, adaptive, and general. DIRM plans to fully implement these procedures by the end of the first quarter of 2001. In addition, DIRM anticipates that the FDIC’s 2001 application maintenance budgets will decrease from approximately $20 million to about $12 million as a result of these planned re-categorizations.

Regarding recommendation 2, DIRM stated that it would present a detailed definition of application maintenance to the IT Technical Committee and obtain the committee’s concurrence by the end of the first quarter of 2001. DIRM added that it would coordinate this effort with the Division of Finance (DOF) to facilitate their collection of budget information for 2002. While DIRM indicated that it would assist DOF in collecting and tracking corporate-wide maintenance costs, it felt that requiring program divisions and offices to capture and report their expenses against IT projects was a matter for the Chief Financial Officer (CFO). DIRM stated that it does not have the authority to modify corporate budget development or tracking instructions.

We agree that capturing and reporting program office costs related to IT projects is a matter that is most appropriately addressed by the CFO. As stated in the background section of our report, we reported on the need to track program office costs relating to IT projects and associate these costs with DIRM expenditures in three previous OIG audit reports. In the most recent of these reports, entitled Audit of the FDIC’s Strategic Planning for Information Technology Resources (Audit Report No. 00-013), dated March 31, 2000, we recommended that the CFO work with FDIC’s divisions and offices to ensure that full life cycle costs associated with IT investments, including program office costs, are tracked, reported, and compared to initial estimates. The FDIC plans to implement procedures in 2001 to allow IT expenditures incurred by non-DIRM organizations to be captured and related to DIRM’s IT projects. When fully implemented, this process will allow the FDIC to identify and evaluate the true total costs of individual IT projects from a corporate perspective.

Regarding recommendation 3, DIRM stated that a new detailed definition of application maintenance would be included in DIRM’s 2002 IT budget instructions by June 30, 2001.

Regarding recommendation 4, DIRM indicated that it would establish new IT project types to more accurately track and monitor application maintenance expenditures by the end of the first quarter of 2001. In addition, as mentioned under recommendation 1, DIRM plans to establish three new types of maintenance activities—regulatory, adaptive, and general. DIRM will also re-evaluate its procedures for identifying, monitoring, and evaluating key components of application maintenance on an annual basis beginning with the end of the third quarter of 2001.


APPENDIX I
CORPORATION COMMENTS

Federal Deposit Insurance Corporation                                        Office of the Chief Information Officer
3501 North Fairfax Dr., Arlington, VA 22226

January 26, 2001

TO:                   David H. Loewenstein
                      Assistant Inspector General

FROM:                 Donald C. Demitros
                      Chief Information Officer

SUBJECT:              DIRM Management Response to the Draft OIG Report Entitled, “Audit of the FDIC's Application Maintenance Budgets” (Audit Number 2000-914)

The Division of Information Resources Management (DIRM) has reviewed the subject draft audit report and generally agrees with the findings and recommendations. Responses to each of the specific recommendations are provided below.

Management Decision:

Recommendations: We recommend that the CIO and Director, Division of Information Resources Management,

(1) Perform an evaluation of the FDIC’s application maintenance expenditures and re-categorize those expenditures that do not meet the traditional definition of maintenance, such as the ongoing operations, administrative tasks, and special projects discussed in this report.

      DIRM Response: DIRM has evaluated the FDIC’s application maintenance expenditures. As a result, some of these expenditures have been re-categorized into ongoing operations and will be identified by a sustaining base “B” project number. In addition, administrative “G” projects will be used to capture costs associated with more administrative types of tasks such as training, staff meetings, performance reviews, and corporate functions. DIRM has also delineated three types of maintenance activities – regulatory, adaptive, and general. Costs associated with these activities will be reported in our existing “M” projects. Attached is a document describing these definitions in more detail.

      After briefing the IT Committee, this re-categorization will be implemented by the end of the first quarter 2001. The current application maintenance budget in 2001 is approximately $20M.
After implementing these changes, the budget will be approximately $12M. As a result, other areas of the DIRM budget will have a combined corresponding $8M increase, since we are neither increasing nor decreasing the overall DIRM budget.

(2) Work with other divisions and offices to develop a detailed definition of application maintenance that can be used to categorize IT expenditures on a corporate-wide basis.

     DIRM Response: Having all divisions capture and report their expenses against specific IT projects is an issue that the OIG should address with the CFO. DIRM does not have the authority to modify budget development or tracking instructions for the Corporation. DIRM currently assists DOF in accomplishing their budget tracking responsibilities, and we look forward to assisting their efforts to collect and track corporate-wide maintenance costs.

     In support of this recommendation, DIRM will present the attached definition document to the IT Technical Committee and obtain their concurrence by the end of the first quarter 2001. We will coordinate this effort with DOF to aid their collection of budget information for 2002.

(3) Incorporate the new detailed definition of application maintenance into DIRM’s 2002 IT budget instructions.

     DIRM Response: The new definition of application maintenance (attached) will be incorporated by June 30, 2001 into DIRM’s 2002 IT budget instructions.

(4) Implement procedures to identify, monitor, and evaluate key components of the FDIC’s application maintenance expenditures.
Such procedures should include provisions to periodically re-evaluate components classified as “key” and the manner in which they are monitored.

     DIRM Response: Initially, new projects (“B” and “G”) will be established to more accurately capture costs currently reflected in the application maintenance projects. Each of these projects will have a budget and their expenses will be monitored and reported on a monthly basis according to the procedures already established for all other IT projects. This will be completed by the end of the first quarter 2001. The benefit of any further breakdown of application maintenance expenditures will be evaluated annually, beginning the end of the 3rd Quarter 2001.

Please address any questions to DIRM's Audit Liaison, Rack Campbell, on (703) 516-1422.

Attachment

cc: Vijay Deshpande
    Michael MacDermott


Attachment I

Business Applications Branch (BAB) and Corporate Applications Branch (CAB) Project Categories

In 2001 BAB and CAB work will be charged to the following project categories, which are defined below:

       •   Development (D Projects)
       •   Enhancements (E Projects)
       •   General, Adaptive, and Regulatory Maintenance (M Projects)
       •   Sustaining Base (B Projects)
       •   Administrative (G Projects)
       •   Planning (P Projects)

Development Definition (D Projects)

Development encompasses all work on new systems or enhancements to existing systems that exceed $200,000 per release.
Development work includes all System Development Life Cycle (SDLC) phases.

Enhancement Definition (E Projects)

Enhancement encompasses all enhancements to existing systems that do not exceed $200,000 per release. Enhancement work also includes small-scale development of new systems where the total cost of development does not exceed $200,000. Enhancement work includes all SDLC phases.

Maintenance Definitions (M Projects)

Three categories of maintenance have been defined. Each BAB and CAB section will have a single adaptive maintenance project. General and regulatory maintenance projects may be combined depending on the nature and scope of the work. Maintenance work includes all applicable SDLC phases.

       General Maintenance

       Encompasses changes to production software to correct known problems and to prevent anticipated problems or inefficiencies. General maintenance includes all work required to diagnose problems, and to fix, test, and implement new releases, including emergency changes.

       Regulatory Maintenance

       Encompasses changes to production software in response to mandatory regulatory or policy initiatives. Examples are Federal Financial Institutions Examination Council (FFIEC) mandated changes to Call Reports and Uniform Bank Performance Report (UBPR) ratios, Section 508 changes, and Privacy Act changes.

       Adaptive Maintenance

       Encompasses testing of and changes to production software to adapt to infrastructure changes such as operating system and Data Base Management System (DBMS) upgrades, security upgrades, new general use Commercial off-the-Shelf (COTS) upgrades (e.g., new versions of Office), new hardware, etc.
This maintenance category is not intended for extensive reengineering projects that combine a platform conversion with significant functional enhancements.

Sustaining Base Definition (B Projects)

Encompasses work required to sustain and support ongoing operations (existing systems operations) and functions (e.g., budgeting and planning). Examples include supporting routine production cycles (e.g., Quarterly Call Reports and monthly general ledger processes), disaster recovery testing, file maintenance, post-implementation reports, customer inquiries, audit participation, budget preparation, and other work in support of a customer's program and systems. Normally, each Application System Management (ASM) section will have one sustaining base project, although there may be cases where a section has enough support work on a system or group of systems to justify a separate project.

Administrative Definition (G Projects)

Encompasses limited administrative activities not directly in support of a customer. Examples include training and conferences, staff meetings, performance reviews, corporate functions (e.g., diversity meetings, annual awards ceremony, etc.), and time required for individual administrative activities. Each ASM branch will have a single administrative project, which will be closely monitored to ensure that charges are limited to appropriate activities.

Planning Definition (P Projects)

Encompasses projects where a significant effort is required to define the scope and plans for a project.
Work is limited to the planning phase of the SDLC.


APPENDIX II
MANAGEMENT RESPONSES TO RECOMMENDATIONS

The Inspector General Act of 1978, as amended, requires the OIG to report the status of management decisions on its recommendations in its semiannual reports to the Congress. To consider FDIC’s responses as management decisions in accordance with the act and related guidance, several conditions are necessary. First, the response must describe for each recommendation

   •    the specific corrective actions already taken, if applicable;
   •    corrective actions to be taken together with the expected completion dates for their implementation; and
   •    documentation that will confirm completion of corrective actions.

If any recommendation identifies specific monetary benefits, FDIC management must state the amount agreed or disagreed with and the reasons for any disagreement. In the case of questioned costs, the amount FDIC plans to disallow must be included in management’s response.

If management does not agree that a recommendation should be implemented, it must describe why the recommendation is not considered valid. Second, the OIG must determine that management’s descriptions of (1) the course of action already taken or proposed and (2) the documentation confirming completion of corrective actions are responsive to its recommendations.

This table presents the management responses that have been made on recommendations in our report and the status of management decisions.
The information for management decisions is based on management’s written response to our report.

Rec. Number: 1
   Corrective Action: Taken or Planned/Status: Management agreed with the recommendation. DIRM indicated that an evaluation of the FDIC’s application maintenance expenditures had been completed. As a result, DIRM plans to re-categorize a variety of expenditures previously classified as application maintenance. In addition, DIRM plans to establish three new types of maintenance activities—regulatory, adaptive, and general. DIRM plans to fully implement these procedures by the end of the first quarter of 2001.
   Expected Completion Date: March 31, 2001
   Documentation That Will Confirm Final Action: Revised procedures for categorizing maintenance expenditures and IT budget re-allocations.
   Monetary Benefits: N/A
   Management Decision (Yes or No): Yes

Rec. Number: 2
   Corrective Action: Taken or Planned/Status: Management agreed with the recommendation. DIRM stated that it would present a detailed definition of application maintenance to the IT Technical Committee and obtain the committee’s concurrence by the end of the first quarter of 2001. DIRM indicated its intent to coordinate this effort with the Division of Finance (DOF) to facilitate DOF’s collection of budget information for 2002.
   Expected Completion Date: March 31, 2001
   Documentation That Will Confirm Final Action: Revised definition of application maintenance approved by the IT Technical Committee.
   Monetary Benefits: N/A
   Management Decision (Yes or No): Yes

Rec. Number: 3
   Corrective Action: Taken or Planned/Status: Management agreed with the recommendation. DIRM stated that a new detailed definition of application maintenance will be included in DIRM’s 2002 IT budget instructions by June 30, 2001.
   Expected Completion Date: June 30, 2001
   Documentation That Will Confirm Final Action: 2002 IT budget instructions containing the new definition of application maintenance.
   Monetary Benefits: N/A
   Management Decision (Yes or No): Yes

Rec. Number: 4
   Corrective Action: Taken or Planned/Status: Management agreed with the recommendation. DIRM indicated that it would establish new IT project types to more accurately track and monitor application maintenance expenditures by the end of the first quarter of 2001. In addition, as mentioned under recommendation 1, DIRM plans to establish three new types of maintenance activities—regulatory, adaptive, and general. DIRM will re-evaluate its procedures for identifying, monitoring, and evaluating key components of application maintenance on an annual basis beginning with the end of the third quarter of 2001.
   Expected Completion Date: March 31, 2001
   Documentation That Will Confirm Final Action: Procedures for identifying, monitoring and evaluating key components of application maintenance, including provisions for periodic re-evaluations.
   Monetary Benefits: N/A
   Management Decision (Yes or No): Yes